Use Lodash `escape` as a small security enhancement
What does this MR do and why?
There is one place that the user's `username` is used in the `users_select` code.
This MR uses Lodash's `escape` to prevent any potentially manipulative content from being rendered directly into the UI.
Caveats
- `username` should never have dangerous content, because saving it isn't possible with any special characters. All the rest of the data is either already passed through `escape` or `<%- %>` (which itself uses `escape`).
Bottom Line
There's no security issue here as far as I can tell, but I'm adding `escape` to the one place that doesn't seem to be escaped, on the off chance that a `username` somehow has malicious content.
This is a "maybe we can protect against a future mistake" addition.
Screenshots or screen recordings
There's no UI change with this MR.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
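As an added example (not code from this MR or from the GitLab code base), the following shows what `escape` buys in the situation the MR describes: a username interpolated straight into markup, next to the same markup with the value passed through an escape first. The `escapeHtml` function is a local re-implementation of the five characters Lodash's `_.escape` replaces (`&`, `<`, `>`, `"`, `'`), written so the example runs without installing lodash. `renderUserRowUnescaped`, `renderUserRowEscaped`, `isSaveableUsername`, `USERNAME_RE` and the two sample users are hypothetical stand-ins for the `users_select` markup and for GitLab's username validation; they are constructed for this example and do not reproduce the real rules.

```javascript
// Local re-implementation of the character set Lodash's `_.escape`
// replaces. Written for this example so it runs without lodash;
// it is not the project's code.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical stand-in for a users_select dropdown row.
// "Before": the username is interpolated raw into both an attribute
// and the text node, so any markup it carries is parsed as HTML.
function renderUserRowUnescaped(user) {
  return `<li data-username="${user.username}">${user.name} (@${user.username})</li>`;
}

// "After": every user-controlled value goes through escapeHtml first.
// Because quotes are escaped, the value cannot close the quoted
// attribute, and because < and > are escaped, it cannot open a tag.
function renderUserRowEscaped(user) {
  const username = escapeHtml(user.username);
  const name = escapeHtml(user.name);
  return `<li data-username="${username}">${name} (@${username})</li>`;
}

// Hypothetical stand-in for the MR's caveat that a username with
// special characters cannot be saved. Constructed for this example;
// it is not GitLab's actual validation.
const USERNAME_RE = /^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*$/;

function isSaveableUsername(username) {
  return USERNAME_RE.test(username);
}

// Constructed sample inputs: one ordinary user and one whose username
// would never pass validation but models the "future mistake" case.
const benignUser = { name: 'Alice Example', username: 'alice' };
const hostileUser = { name: 'Mallory', username: '"><img src=x onerror=alert(1)>' };

// Summarises the comparison so a caller can inspect each outcome.
function demo() {
  return {
    benignUnchanged: renderUserRowUnescaped(benignUser) === renderUserRowEscaped(benignUser),
    hostileSaveable: isSaveableUsername(hostileUser.username),
    hostileRaw: renderUserRowUnescaped(hostileUser),
    hostileEscaped: renderUserRowEscaped(hostileUser),
  };
}
```

For a valid username the escaped and unescaped rows are identical, which is why the MR calls this a no-op for today's data. `escapeHtml` (and Lodash's `_.escape`) is sufficient for HTML text content and for attribute values that are wrapped in quotes; it does not make a value safe inside a `<script>` block, an event-handler attribute, or a URL, so those contexts need their own encoding rather than a second call to `escape`.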